Sullivan & Cromwell discusses President Obama’s Executive Order Authorizing Sanctions for Malicious Cyber Activities

On April 1st, President Obama issued an Executive Order authorizing sanctions against persons found to have engaged in or supported significant malicious cyber activities. Under the order, the Secretary of the Treasury is authorized to designate and impose sanctions on individuals and entities that are responsible for or complicit in certain cyber-related activities that pose a significant threat to the national security, foreign policy, economic health, or financial stability of the United States. The Executive Order focuses in particular on cyber activities that harm or compromise critical infrastructure, disrupt computers or computer networks, or misappropriate funds, information, or trade secrets. Although there were no initial designations made with the order, those designated for sanctions will be added to the Office of Foreign Assets Control’s (“OFAC”) List of Specially Designated Nationals and Blocked Persons. It will be unlawful for U.S. persons to engage in transactions with such persons, and any assets they have in the United States or in the control or possession of U.S. persons will be required to be frozen.

Significantly, in guidance released with the order, OFAC sets forth a strict liability framework and emphasizes that all U.S. persons, including technology companies and firms engaged in online commerce, must ensure they do not engage in unauthorized transactions or dealings with designated persons or entities owned by them. According to OFAC’s guidance, these entities should develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures for various reasons; compliance procedures are an important factor considered by OFAC under its enforcement guidelines in the event of an offense.

BACKGROUND

The Executive Order follows a January 2015 executive order authorizing additional sanctions on the government of North Korea in the aftermath of the Sony Pictures hack. The order is premised on a Presidential finding that “the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” In releasing the order, the White House stressed that “[e]very day, malicious actors are targeting our businesses, trade secrets and critical infrastructure, and sensitive information—and many of these attacks originate from outside our borders,” and said that sanctions pursuant to the order are a tool that “will allow us to respond appropriately, proportionately, and effectively to malicious cyber-enabled activities, and to deter others from engaging in similar activities.” The White House also emphasized that sanctions are just one of “a broad range of tools,” which also includes diplomatic engagement, trade policy, and law enforcement mechanisms, for addressing harmful cyber activity originating abroad.

THE EXECUTIVE ORDER

The Executive Order authorizes the freezing of assets of any individual or entity that is determined:

  • to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:
      • harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
      • significantly compromising the provision of services by one or more entities in a critical infrastructure sector; or
      • causing a significant disruption to the availability of a computer or network of computers, or causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
  • to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
  • to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described above (or any person who has been targeted by sanctions under the authority of the Executive Order);
  • to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person who has been targeted by sanctions under the authority of the Executive Order; or
  • to have attempted to engage in any of the activities described above.

U.S. persons (and persons otherwise subject to U.S. jurisdiction) may not engage in trade or other transactions with the targets of sanctions (including any entity owned by such persons) and must block any asset of a sanctions target that comes within their possession or control. Persons who are targets of sanctions also will be denied entry into the United States.

There were no initial designations made with the Executive Order, so as of the order’s date, there are no persons actually sanctioned under this new authority.

In Frequently Asked Questions (“FAQ”) accompanying the Executive Order, OFAC explained that the Executive Order is intended to address situations where, for jurisdictional or other issues, significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government.[1] OFAC emphasized that the United States maintains a “whole-of-government” strategy to combat cyber threats, which draws from a broad range of tools and authorities to respond to the growing and evolving threat posed by malicious cyber actors, similar to approaches to global threats from terrorists, narcotics traffickers, and transnational criminal organizations. OFAC intends to use financial sanctions in the fight against malicious cyber actors as a complement to existing tools, including diplomatic outreach and law enforcement authorities. Accordingly, OFAC will work in coordination with other U.S. government agencies to identify individuals and entities whose conduct falls within the parameters established by the Executive Order and will designate them for sanctions. Any such persons who are designated will be added to OFAC’s List of Specially Designated Nationals and Blocked Persons.

OFAC’s FAQ also indicated that it anticipates that regulations to help implement the Executive Order will be promulgated. In those regulations, OFAC expects that the term “cyber-enabled” activities will be defined to include, among other things, any act that is primarily accomplished through or facilitated by computers or other electronic devices. OFAC’s FAQ explains that these activities are often the means through which the specific harms enumerated in the Executive Order are achieved, including the compromise of critical infrastructure, denial of service attacks, or massive loss of sensitive information, such as trade secrets and personal financial information.

With regard to compliance, OFAC provided a warning for firms that facilitate or engage in online commerce and technology companies. OFAC stated that all U.S. persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on OFAC’s sanctions lists or who operate in jurisdictions targeted by comprehensive sanctions programs. According to OFAC’s guidance, these entities, including technology companies, should develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures. OFAC explained that an adequate compliance solution will depend on a variety of factors, including the type of business involved, and there is no single compliance program or solution suitable for every circumstance. Engaging in transactions prohibited by sanctions is a strict liability offense, and compliance procedures are an important factor considered by OFAC under its enforcement guidelines in the event of an offense.

ENDNOTES

[1] The FAQ explains that the Executive Order is intended to cover only malicious activities. It is not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities, such as efforts by researchers, cybersecurity experts and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors. Similarly, the order’s measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events, or to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems or systems they are otherwise authorized to manage.

The preceding post is based on a memorandum prepared by Sullivan & Cromwell LLP and published on April 1, 2015.  The full memorandum is available here.